Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

The crisis of modernization in the Public Sector

By Alan Gush


In early April 2020, many states, including New Jersey, Kansas, and Connecticut, were overwhelmed as their antiquated  COBOL systems buckled under the traffic of hundreds of thousands of unemployment applications. News outlets underscored the growing need for modernization and maintenance of legacy government systems. Local, state, and federal governments employ over 1,000 COBOL and 600 Fortran developers to maintain their increasingly outdated legacy infrastructure.  Many of these essential systems have been cobbled together over decades and are too costly and complex to modernize without significant operational impact. Consider that Fortran and COBOL were developed in 1957 and 1959, respectively. Even accounting for more recent editions and updates to the languages, systems operating on COBOL and Fortran may not be possible to upgrade in the short-term or sustain in the long-term. Plus, outdated dependencies, such as synchronization with processor speed and frequency, render the systems increasingly fragile. An entire system could be lost if an essential component breaks and cannot be replaced.  Reliance on operating systems and applications written in these archaic programming languages is untenable. It behooves organizations to modernize their systems or at least migrate to more sustainable and reliable infrastructure. Organizations that need custom or adaptable systems or that lack the resources for expensive licenses may consider affordable Linux systems to replace their legacy architectures. Moreover, advances in polymorphic security solutions can be applied to Linux distributions to mitigate cyberattacks by limiting the efficacy of vulnerability exploitation while maximizing the risk and resource consumption to the attacker.

The Modernization Crisis Impacts the Public and Private Sector

Former Federal CIO Tony Scott estimated in 2015 that the government spent $0.73 of every dollar maintaining mission essential legacy technologies that nevertheless still posed significant security risks to organizations. These systems were often:

  • Incompatible with modern security platforms
  • Lack features to support integrated defenses around the critical data, systems, and operations processes.
  • Feature outdated Operating Systems (OS) that are not regularly patched or updated

Despite modernization efforts, state and federal agencies continue to dedicate the majority of their IT budgets to maintaining legacy infrastructure in part because modernization requires even greater time and resources that are not often available to the public sector. Moreover, many mission-critical systems cannot be taken offline long enough to rapidly transition to modern systems without jeopardizing national security, economic stability, or public wellbeing.

The government is not alone in the modernization crisis emphasized by the COVID-19 pandemic. Companies spend as much as 60-80% of their limited IT budgets, maintaining legacy infrastructure. Often, this expenditure amounts to struggling to install updates, racing to patch security vulnerabilities, or improvising system and application compatibilities. As a result, they suffer opportunity costs in the form of innovation, security, and efficiency. Though the media highlighted how a shortage of COBOL programmers impacted state governments and citizens’ ability to apply for unemployment, it is crucial to recognize that many of the healthcare systems essential to pandemic response, such as servers and healthcare operational technology (OT), are also operating on legacy applications and infrastructure.

The COVID-19 pandemic has already stressed the US healthcare sector, disrupted daily life, and impacted the economy. Recovery could take years. If vulnerable healthcare systems fail or are targeted by cyber attackers, patient lives, the fragile healthcare sector, or even national security could be at risk. Public and private sector organizations do not continue to rely on legacy systems out of convenience but out of operational and fiscal necessity. Modernization is a time-consuming and expensive process that requires significant long-term planning, adequate funding, and often requires custom built solutions because many legacy systems were built for a single purpose. In the wake of the coronavirus pandemic, governments at all levels and organizations of every size are justifiably more focused on saving lives than on modernizing infrastructure. Depending on the economic impact of the crisis, many organizations will lack the resources to modernize or even maintain increasingly obsolete systems for years to come. Fortunately, organizations can mitigate the risk to their legacy systems by adopting new, ground-breaking cybersecurity solutions such as Polymorphing.

Polymorphic Solutions Complement Modernization and Mitigate Cyber Threats

Polymorphing solutions can help organizations secure their legacy infrastructure, bridge the patch gap, and incorporate modern features into older applications. These solutions mitigate the risk of compromise by making attacks cost-prohibitive for the adversary. Any resources (time, personnel, exploits, etc.) that an attacker expends to compromise one system do not contribute to their attempts to compromise additional assets. Polymorphic solutions secure unpatched systems without additional administration overhead or resource costs, and it empowers organizations to patch systems when their IT resources allow.

Polymorphing for Linux hardens open-source Linux distributions by running the source code of the chosen distribution through an advanced polymorphic compiler that scrambles the low-level machine code. The result is a Linux stack that has a unique binary makeup (including CPU registers, function locations, memory layouts, and instruction sets) that functions, performs, and operates in a way that is unchanged but is nearly impervious to memory-based attacks.

A Polymorphing Build Farm eliminates the panic to apply critical security patches while delivering enhanced protection during any security-patch gaps. A Build Farm makes it possible to create Point-in-Time Caching, which controls when new code updates are merged into their managed code base and only builds select packages locked at specific versions instead of being forced to rebuild all the Linux packages. This enables an organization running a dated version of Linux to selectively apply new updates that fit their needs, rather than reinstall all Linux packages or accidentally install updates that break their legacy systems. Perhaps more importantly, the technology allows security features from new operating systems and versions to be incorporated into older applications without the need to modernize existing software or hardware effectively extended the life of both the hardware and software while increasing security. Further, public sector solutions allow any agency to own the polymorphic compiler and control the supply chain of protected packages and updates directly on its systems, gaining optimal visibility and management over patching and updates. Polymorphed Linux instances can be generated and deployed to registered devices every 24 hours, providing the ultimate protection against cyberattacks and cyber-warfare.


In this time of crisis, Polymorphing Build Farms afford the flexibility to remain secure and patch when logistically viable without impacting continuity of operations. People are able to apply for the resources they need to survive, and patient lives are not jeopardized due to vulnerabilities and deficiencies in legacy infrastructure. Until organizations recover from the pandemic and resources for comprehensive modernization are more readily available, polymorphic solutions enable government and healthcare stakeholders to focus on helping people survive and recover from the impacts of the COVID-19 pandemic.

Interested in learning more?

Be the first to hear about the latest product releases and cybersecurity news.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.